Prior to XenDesktop 7, Citrix XenApp and XenDesktop distributions were delivered together with Web Interface. Administrators had to configure the access point services Web Services and Site Services, which run on top of Microsoft Internet Information Services. By default, these services had to be configured for the unencrypted HTTP protocol. Those who wanted to secure access to XenApp and XenDesktop could do so by uploading a certificate to the Web Interface servers and then changing the binding of this service to HTTPS. The more sophisticated, vendor-recommended method to secure access to a Citrix farm or site makes use of additional components such as Secure Gateway, Access Gateway or NetScaler, which have to be placed between the clients and the farm. The architecture then corresponded to the following figure.

Access Gateway and NetScaler, in contrast to Secure Gateway, can handle authentication themselves when a user requests to open a session. According to the configured policy, the systems consult a locally configured password management or query an external directory service like LDAP or RADIUS. With such a configuration, NetScaler appliances, for example, present the user with a login screen that looks similar to the following screenshot.

In principle, the appearance of the NetScaler logon dialog can be customized to individual needs. Some suitable alternatives are available from various authors. However, most of the available themed logon screens are not officially supported by Citrix. Be aware that the manufacturer usually does not accept responsibility for malfunctions after unauthorized modifications to hardened system software. In the worst case, this may void a valid maintenance contract.

The alternative is to place the login dialog outside of NetScaler or Access Gateway. On the Authentication tab of the configuration page of a NetScaler Access Gateway virtual server, one simply has to clear the "Enable Authentication" checkbox.

NetScaler now acts as a gateway to XenDesktop 7 that forwards incoming HTTP requests to StoreFront. StoreFront recognizes that it is being delivered through NetScaler. However, instead of presenting a login screen, StoreFront responds with the message that the request could not be completed.

On NetScaler, querying the list of currently active user sessions shows that an active session is maintained between a workstation with IP 192.168.199.151 and a virtual NetScaler server 192.168.199.222 without a known user account.

The cause of this behavior is that the administrator forgot to tell StoreFront that it is now itself responsible for authenticating the user. Administrators of XenApp 6.5 and XenDesktop 5.6 know the problem and, when creating a web service for Web Interface 5.4, they configure the point of authentication at Web Interface.

However, the article does not state which version of StoreFront it refers to ("This document applies to XenDesktop 5.6 x32"). At present, the manufacturer only offers StoreFront 1.2 and 2.0 for download on its website. Since StoreFront 1.2, the "Management Methods Logon" option has been missing from the "Receiver for Web" configuration page.

In fact, StoreFront manages several services for a store. A look at the configuration in Internet Information Services (IIS) Manager reveals the complex hierarchy that StoreFront operates on.

If only one desktop has been published to the user, StoreFront will immediately start this desktop, regardless of any additional published applications. This behavior can be changed in the configuration of StoreWeb.